Data security can be compromised by exploiting aspects of the underlying network protocols used for transport, specifically the processing and reassembly of data at the end host. Protocols such as TCP, IP, and UDP specify how a datagram (i.e., packet, fragment, segment, stream, etc.) is handled during data communication. Variations in transmission, reception, and interpretation may cause the reassembled data seen by an end host to differ from the reassembled data seen by an inline device or application (e.g., a firewall, network security management system, intrusion detection system, or vulnerability assessment tool). Protocols may be manipulated in such a manner that this ambiguity hides the presence of a threat from a security device.
When datagrams are broken into packets, fragments, segments, etc. and transmitted (e.g., using TCP), an attacker may be able to confuse an intrusion detection system, vulnerability assessment tool, firewall, or other security application. Exploiting data communication over a particular protocol (e.g., IP) in this way may cause the data to be reassembled differently at the end host destination than at the inline security application. This provides an opportunity to deliver an attack against an end host that the security device does not detect, since the attacker can send packets in such a manner that the security device and the end host reassemble the traffic differently. To prevent this, a security device must be able to process the packets in the same manner as the end host. Given the size and scope of the problem, the efficiency of such processing is also important.
Thus, what is needed is a solution for detecting threats despite the use of such methods (evasion by fragmentation) while optimizing packet reassembly.
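To make the reassembly ambiguity concrete, here is an added example (not part of the original text) in Python: a simplified fragment reassembler that applies either a "first fragment wins" or "last fragment wins" policy to overlapping bytes, so that a detector reassembling under one policy while the end host uses the other can be shown to miss a signature. The fragment offsets, payloads, policy names and the signature string are constructed for illustration and do not model any specific operating system.

```python
# Added example (illustrative, constructed data): overlapping-fragment
# reassembly under two different overlap policies. Real hosts implement
# several more policies; only "first" and "last" are modelled here.

def reassemble(fragments, policy):
    """Reassemble (offset, payload) fragments into one byte string.

    policy="first": bytes from the earlier-received fragment are kept in
                    any overlapping region.
    policy="last":  later fragments overwrite earlier bytes.
    Raises ValueError if the fragments leave a gap (incomplete datagram).
    """
    if policy not in ("first", "last"):
        raise ValueError("unknown policy: %r" % policy)
    total = max(off + len(data) for off, data in fragments)
    buf = bytearray(total)
    written = [False] * total
    for off, data in fragments:          # fragments are in arrival order
        for i, byte in enumerate(data):
            pos = off + i
            if policy == "last" or not written[pos]:
                buf[pos] = byte
                written[pos] = True
    if not all(written):
        raise ValueError("incomplete datagram: missing bytes")
    return bytes(buf)


def evasion_check(fragments, device_policy, host_policy, signature):
    """Return (device_view, host_view, evaded).

    evaded is True when the end host's reassembled data contains the
    signature but the security device's reassembled data does not, i.e.
    the policy mismatch lets the traffic slip past the device.
    """
    device_view = reassemble(fragments, device_policy)
    host_view = reassemble(fragments, host_policy)
    evaded = signature in host_view and signature not in device_view
    return device_view, host_view, evaded


# Constructed fragment set: the second fragment overlaps bytes 5..9 of the
# first one with different content.
FRAGMENTS = [
    (0, b"GET /index"),   # received first
    (5, b"admin"),        # received later, overlaps "index"
]
SIGNATURE = b"/admin"     # constructed detection signature

if __name__ == "__main__":
    for dev, host in (("first", "last"), ("last", "last")):
        print(dev, host, evasion_check(FRAGMENTS, dev, host, SIGNATURE))
```

Running the block prints one line per policy pairing; only the mismatched pairing reports an evasion, which is the point of requiring the device to reassemble as the end host does.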